Developer Warns Against Using In-App Browsers on iOS Due to Potential for Keylogging

by

Craig Hockenberry, one of the developers behind Twitterriffic, has written a blog post warning iOS users about in-app browsers, which he says are "considered harmful." According to Hockenberry, and as outlined in a video, an in-app browser has the ability to record what's being typed, even at a secure login screen.

This means an unscrupulous developer could potentially create an app with an in-app browser to capture the usernames and passwords of users who login to websites like Twitter or Facebook with the browser. Many existing apps use in-app browsers to allow users to do things like login with an already existing social media account simply to make the login process easier, but it appears there's also potential for abuse.

A few things to note about what you're seeing:

The information at the top of the screen is generated by the app, not the web page. This information could easily be uploaded to remote server.

This is not phishing: the site shown is the actual Twitter website. This technique can be applied to any site that has a input form. All the attacker needs to know can easily be obtained by viewing the public facing HTML on the site.

The app is stealing your username and password by watching what you type on the site. There's nothing the site owner can do about this, since the web view has control over JavaScript that runs in the browser.

Hockenberry says that acquiring usernames and passwords works in both iOS 7 and iOS 8, and may also work in earlier versions of iOS, but he is quick to point out that it is not a bug, as the techniques demonstrated in the video can be used for "good as well as evil."

Hockenberry does not have a clear solution in mind for Apple, as fixing the core behavior of both WebKit and UIWebView would require the company to update every version of iOS that included Safari and WebKit, but he does suggest the company could protect users with OAuth.

As for end users, Hockenberry warns not to enter private information when using an app that's not Safari. Browsing web content is safe, but he recommends that users open a link in Safari if there are any concerns about private information. More details on the security of in-app browsers, OAuth, and Hockenberry's recommendations can be found in his original blog post.

Popular Stories

iOS 26 on iPhone Feature

Here's When iOS 26 Rolls Out Today in Every Time Zone [Update: Out Now!]

Monday September 15, 2025 12:00 am PDT by
Update 10:06 a.m.: iOS 26 is rolling out now, though it may take a bit for all users to see it, so keep checking! Today's the day! Apple is about to release iOS 26, which will deliver the biggest redesign since iOS 7 and bring a range of new features and improvements to iPhones worldwide. It's Apple's biggest software update of the year, and Apple announced at last week's iPhone event that...
Read Full Article95 comments
Tim Cook Rainbow

Apple Reportedly Plans to Launch These 10 Products in 'Coming Months'

Sunday September 14, 2025 8:45 am PDT by
Apple's annual September event is now in the rearview mirror, with the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, iPhone Air, Apple Watch Series 11, Apple Watch Ultra 3, Apple Watch SE 3, and AirPods Pro 3 set to launch this Friday, September 19. As always, there is more to come. In his Power On newsletter today, Bloomberg's Mark Gurman said Apple plans to release many products in the...
Read Full Article83 comments
iOS 26 Battery Glass Feature

Apple Says Installing iOS 26 Might Impact Battery Life

Monday September 15, 2025 10:56 am PDT by
In the iOS 26 release notes, Apple is warning iPhone users that installing the new software might have a temporary impact on battery life, which is normal. A new support document explains that major iOS updates require background setup like indexing data and files for search, downloading new assets, and updating apps. Further, Apple says that new features could require more resources,...
Read Full Article118 comments
AirPods Pro Firmware Feature

AirPods Pro 2 and AirPods 4 Get iOS 26 Features With New Firmware Update

Monday September 15, 2025 10:50 am PDT by
Apple today released updated firmware for the AirPods Pro 2 and the AirPods 4, introducing support for the new AirPods features that are included in iOS 26, iPadOS 26, and macOS Tahoe. The firmware has a build number of 8A356, and it replaces the current 7E93 firmware. With Apple's new software updates, the AirPods Pro 2 and the AirPods 4 support better audio quality for phone calls and...
Read Full Article67 comments
iphone 17 lineup

iPhone 17 Models Launch on September 19 With These New Features

Friday September 12, 2025 7:58 am PDT by
Apple will launch its new iPhone 17 lineup and ultra-thin iPhone Air in stores on Friday, September 19, and the company has already shown off the new devices at its fall event, which ran with the the tagline "Awe dropping." The iPhone 17 series brings a host of new features and enhancements. Here's a rundown of the biggest upgrades and changes: iPhone 17 Display Changes The iPhone...
Read Full Article17 comments
apple n1 chip

Apple's New N1 Chip in iPhone 17, iPhone 17 Pro, and iPhone Air Has a Wi-Fi 7 Limitation

Saturday September 13, 2025 10:01 am PDT by
The latest iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and iPhone Air models are equipped with Apple's all-new N1 chip for Wi-Fi 7, Bluetooth 6, and Thread connectivity. However, the chip has a Wi-Fi 7 bandwidth limitation. According to FCC documents reviewed by MacRumors, the N1 chip in all of the new iPhone models supports up to 160 MHz channel bandwidth for Wi-Fi 7, short of the...
Read Full Article105 comments
iPhone 17 Pro Air Boxes

iPhone Air and iPhone 17 Pro Boxes Revealed

Sunday September 14, 2025 1:36 pm PDT by
T-Mobile President Jon Freier today shared real-world photos of Apple's boxes for the iPhone Air, iPhone 17 Pro, and iPhone 17 models, which launch on Friday. Image Credit: Jon Freier Apple has typically included iPhone box renders in its product environmental reports, but it did not do so for the latest models. However, Apple's iPhone Upgrade Program page does offer some images of the boxes, ...
Read Full Article74 comments

Top Rated Comments

WilliamG Avatar
WilliamG
143 months ago
I use 1Password, which has an in-app browser. Kind of ironic, really...
Score: 24 Votes (Like | Disagree)
HiRez Avatar
HiRez
143 months ago
And the good news just keeps on coming. I have a feeling Tim Cook will be drinking heavily this weekend.
Score: 21 Votes (Like | Disagree)
sniffies Avatar
sniffies
143 months ago
InAppGate

BrowserGate

FMLgate
Score: 16 Votes (Like | Disagree)
EdgardasB Avatar
EdgardasB
143 months ago
I'm sure he'll be crying into the billions Apple made this week.

Score: 10 Votes (Like | Disagree)
Apollo 13 Avatar
Apollo 13
143 months ago
this would be a problem on any phone not just a ios device.
Score: 10 Votes (Like | Disagree)
HiRez Avatar
HiRez
143 months ago
I'm sure he'll be crying into the billions Apple made this week.
Financially they won't take much of a hit (although AAPL is kind of a separate thing). But what's more valuable than Apple's pile of cash? Their brand. And that is taking a pretty good beating in recent weeks, from the leaked iCloud accounts, the botched keynote video live stream, Tim Cook's awkward moment with Bono that makes them look old and uncool even to old people, the free U2 album download that no one wanted forced on them, the horrendous iPhone 6 preorder fiasco, various iPhone 6 issues, many annoying iOS 8.0 issues (including all HealthKit apps getting pulled from the App Store), to todays botched 8.0.1 "fix" that disables the primary communication stream of iPhones. I mean they will get through it, but it's been kind of rough.
Score: 9 Votes (Like | Disagree)
Read All Comments